Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1976
Views
0
Helpful
2
Replies

WAP321 - Guest SSID not working

mannygg13
Level 1
Level 1

‎01-29-2014 08:49 AM

                   I have a WAP321 with 2 SSID's.  One is for local access and another for guest.  The WAP connects to a 3550 and it's port is set to

description Cisco Wireless

switchport trunk encapsulation dot1q

switchport trunk allowed vlan 1,20

switchport mode trunk

no ip address

spanning-tree portfast

     My ASA 5505 is set with both VLANs and I'm using DHCP to dishout the guest IP.  MyWAP has both networks setup. VAP 0 is setup for VLAN 1 and VAP 1 is for VLAN 20.  Both are enabled.

When connecting to my local wireless, I have no problem getting local access and Internet connection.  When I connect to Guest I get an IP from my ASA's DHCP, but I cannot ping my gateway, which is my ASA.  I know my guest VLAN is ok, because if I put a port on that VLAN, I can connect to the Internet.

When I do packet captures from the WAP (Administration-Packet Capture), I can't see any ICMP attempts either from the eth0 or VAP 1.  When I capture my machines wireless interface I see ICMP attempts with no reposnds.  It makes me think I missed something in the WAP321 setup.

Any ideas where to check?

Labels:
0 Helpful
2 Replies 2

Eric Moyers
Level 7
Level 7

‎02-03-2014 01:06 PM

Hi, My name is Eric Moyers. I am a Network Support Engineer in the Cisco Small Business Support Center. Thank you for using the Cisco Community Post Forums.

While what I am fixing to share is not in any way a great solution, It can be utilized as a workaround.

With the WAP321, after trying a few different scenarios that didn’t work. I simply created two vlans, left the Untagged vlan as main vlan and changed the Management vlan to the second. I then attached the guest SSID to the Management VLAN. This allowed me to authenticate to my guest captive portal and get an IP and get out to the internet. The Main SSID still worked normally.

Now for some caveats:

Problem: If a wireless client knows the IP of the WAP and the username and password they could get into the WAP.

Solution: Setup Management Access Control to an IP outside the DHCP scope for that VLAN and have a Strong Password.

Problem: Management of the WAP321 can only be from an IP on the Management VLAN. (In my case 2)

Solution: Setup Management Access Control to an IP outside the DHCP scope for that VLAN and have a Strong Password.

Not the very best solution, but the only workaround I can come up with for now.

Thanks

Eric Moyers    .:|:.:|:.

Cisco Small Business US STAC Advanced Support Engineer

Wireless Subject Matter Expert

CCNA, CCNA-Wireless

866-606-1866

Mon - Fri 09:30 - 18:30 (UTC - 05:00)

*Please rate the Post so other will know when an answer has been found.

0 Helpful

mannygg13
Level 1
Level 1
In response to Eric Moyers

‎02-06-2014 07:57 AM

Thank You Eric.

I already had the two VLANs so I changed the management VLAN to 20 and left my untagged to 1. 20 is my Guest Only.  After I tried to connect externally by pinging the gateway and it still failed.  BUT when I went to check the configuration, I forgot to change the static IP on the WAP.  So I cannot access it.  It still works because internal users work fine.  I work remotely, so I will have to drive in this weekend and reconfigure.  I will try the above again to let you know if it works.

Thanks!

0 Helpful
Customers Also Viewed These Support Documents